
From: Alexander Kochetkov al.kochet@gmail.com
Hello!
I've done verified boot on Radxa Rock 3A. I've embedded the public key in U-Boot SPL and signed the FIT image configuration. All the work was done during the U-Boot image build. For some use cases, building and signing images in one go will be much simpler than building unsigned images and signing them later. For example, the SPL image for rk3568, called idbloader.img, consists of TPL, U-Boot SPL and the U-Boot SPL DTB with the public key. So in order to assemble a signed idbloader.img later, we have to keep all the intermediate files used during the build.
To embed the public key, I've replaced the u-boot-spl node with blob-ext and generated the u-boot-spl-with-pubkey-dtb blob using the u-boot-spl-pubkey-dtb entry.
To sign the FIT image I've used the newly implemented fit property 'fit,sign'.
I haven't signed the FIT image nodes, because I realized that signing the configuration is safe and sufficient for verified boot. But I have doubts, so I've left that signing scheme in the test.
What do you think: is using a signed configuration and signed images at the same time much safer, or does it not provide any benefit?
Now I'm thinking about implementing a configuration option, something like FIT_SIGNATURE_KEYDIR. The value of the option will be passed to binman using -I.
Also, I want to embed another public key in the configuration DTB, so it will be used to verify the kernel FIT. But I couldn't figure out how to do it using binman.

&binman {
	u-boot-spl-with-pubkey-dtb {
		filename = "u-boot-spl-with-pubkey-dtb.bin";

		u-boot-spl-nodtb {
		};

		u-boot-spl-pubkey-dtb {
			algo = "sha256,rsa2048";
			required = "conf";
			key-name-hint = "uboot-spl";
		};
	};

	simple-bin {
		...
		mkimage {
			...
#ifdef CONFIG_ROCKCHIP_EXTERNAL_TPL
			rockchip-tpl {
			};
#elif defined(CONFIG_TPL)
			u-boot-tpl {
			};
#endif
			blob-ext {
				filename = "u-boot-spl-with-pubkey-dtb.bin";
			};
		};

		fit: fit {
			...
			fit,sign;
			...

			configurations {
				default = "@config-DEFAULT-SEQ";
				@config-SEQ {
					...
#ifdef CONFIG_SPL_FIT_SIGNATURE
					signature {
						algo = "sha256,rsa2048";
						key-name-hint = "uboot-spl";
						sign-images = "firmware", "loadables", "fdt";
					};
#endif
				};
			};
		};
	};
}

Alexander Kochetkov (3):
  binman: fix passing loadables to mkimage on first run
  image-host: fix 'unknown error' error message
  binman: implement signing FIT images during image build

 tools/binman/btool/mkimage.py           |  5 +-
 tools/binman/entries.rst                |  7 ++
 tools/binman/etype/fit.py               | 57 +++++++++++++-
 tools/binman/ftest.py                   | 95 ++++++++++++++++++++++++
 tools/binman/test/326_fit_signature.dts | 98 +++++++++++++++++++++++++
 tools/binman/test/326_rsa2048.key       | 28 +++++++
 tools/binman/test/327_fit_signature.dts | 98 +++++++++++++++++++++++++
 tools/binman/test/328_fit_signature.dts | 61 +++++++++++++++
 tools/image-host.c                      |  2 +-
 9 files changed, 446 insertions(+), 5 deletions(-)
 create mode 100644 tools/binman/test/326_fit_signature.dts
 create mode 100644 tools/binman/test/326_rsa2048.key
 create mode 100644 tools/binman/test/327_fit_signature.dts
 create mode 100644 tools/binman/test/328_fit_signature.dts